The National Privacy Commission said on Wednesday, Aug. 25, that it has ordered the immediate takedown of four online lending apps (OLAs) — JuanHand, Pesopop, CashJeep, and Lemon Loan — for violating the data privacy rights of borrowers.
The apps have been the subject of various complaints of unauthorized use of personal data that resulted in harassment and shaming of borrowers and are currently being investigated for violations of the Data Privacy Act and other NPC issuances.
The NPC said the apps have gained access to a trove of information in the borrowers’ mobile devices, including contacts and social media data, that are excessive and may be weaponized to harass and shame delinquent borrowers using the contact list in their mobile devices.
NPC chair Raymund Liboro said the orders banning the four apps “are crucial to prevent serious privacy risks and protect and preserve the privacy rights of data subjects.”
“These online lending apps raised many red flags and the companies operating these apps demonstrate problematic data actions that expose borrowers to serious privacy risks and harms,” Liboro said.
Companies operating the apps were provided the opportunity to reply to NPC’s findings, but two of the apps did not file position papers, while the other two failed to convince the agency why it should not impose the ban.
The ban will remain in effect until it is lifted by the NPC.
Meanwhile, the NPC said it continues to investigate the possible criminal liabilities of the operators, directors, officers, and agents of the lending apps.
In four separate orders, the NPC directed Wefund Lending Corporation, Joywin Lending Investor, Cash8 Lending Corporation, and Populus Lending Corporation – operators of Juan Hand, Lemon Loan, CashJeep, and Pesopop, respectively – to halt the processing of their borrowers’ personal data.
The privacy body said the apps were engaged in “irrelevant, unnecessary, and excessive” harvesting of personal and sensitive information without borrowers’ free and informed consent.
The NPC has furnished copies of the orders to the National Telecommunications Commission (NTC) to take down the four apps from the Internet and to Google to remove them from the Google Play Store.
The agency issued the orders based on the findings of the NPC’s Complaints and Investigation Division (CID) which examined the apps and found that these violated the principles of transparency, legitimate purpose, and proportionality in the Data Privacy Act of 2012 and the NPC issuance on the Processing of Personal Data for Loan Related Transactions (NPC Circular No. 20-01).
The four apps have gained access to practically all the data in a borrower’s mobile device, according to NPC’s CID, which simulated the registration process of loan applicants and evaluated source codes.
The apps can process information ranging from a borrower’s sensitive personal data, location, photos, media files, emails, contact lists, and data from social media platforms like Facebook and Instagram.
The NPC said this level of access amounts to the borrower’s complete surrender of all data in his mobile device and other information that the lender can collect from third parties, such as employers, utilities, government agencies, remittance companies, and insurance and financial services providers.
In particular, JuanHand has an invasive manner of using personal data. It can read a borrower’s calendar of events and confidential information, add, and modify calendar events, and send emails to contacts without the borrower’s knowledge.
In addition, CID’s Fact-Finding Report found that borrowers have unwittingly granted JuanHand a “permanent right” to use the “true, up-to-date, valid and complete information” they have provided so they can avail themselves of a loan.
Based on Google’s statistics, JuanHand has been downloaded more than 1 million times; Lemon Loan and Pesopop, more than 500,000 times each; and CashJeep, over 100,000 times.
The NPC said it is currently studying and investigating more than 200 OLAs available for download and will issue orders and other actions according to the investigation results.
This is not the first time that the NPC has cracked down on OLAs. In October 2019, the agency issued a ban against 26 OLAs for failing to appear before it and answer allegations, such as the use of personal data to shame delinquent borrowers.
Through NPC’s coordination with the NTC and Google, the 26 OLAs were taken down, and the apps are no longer publicly available for download, installation, or use. Recently, the NPC has opened a channel with Google’s regional office for the immediate execution of its orders.